Revised Cybersecurity Act Makes Meaningful Progress on Privacy

A new version of the Cybersecurity Act of 2012 was introduced last night (PDF), and a vote on the Senate floor reportedly may occur as early as next week. Although we’re still digesting the 211-page bill, its revised information sharing title stands out for its meaningful safeguards regarding what cybersecurity information may be shared by providers and its limits on how government may use shared information. Such prudence is of utmost importance in any bill that gives private entities blanket immunity from civil and criminal laws, including the common law, for activities such as cybersecurity information sharing.

By way of background, our organizations—the Competitive Enterprise Institute and TechFreedom—joined several other free market groups in sending a coalition letter to House leadership back in April regarding CISPA (which ultimately passed that chamber). While we support legislation streamlining federal laws to ensure cybersecurity information flows freely among private companies and, where appropriate, to and from the government, we urged important changes to CISPA to limit potential governmental abuses and meaningfully protect individuals’ private information. Unfortunately, most of our suggestions were not reflected in the final version of that bill.

We’re very glad to see that many of our free market principles are now reflected in Title VII of the Cybersecurity Act (the part of the bill that deals with information sharing). The bill’s sponsors adopted many significant, positive changes to Title VII to better protect privacy and individual liberties, including:

Allowing individuals harmed by governmental misuse of shared cyber threat information to sue the federal government for actual or statutory damages of $1000 (whichever is greater);

Proscribing all governmental use and sharing of cyber threat information for purposes unrelated to cybersecurity, except to avert imminent threats of death or serious bodily harm or sexual exploitation of minors;

Barring the federal government from conditioning the award of a federal grant, contract, or purchase on a private entity’s sharing of cybersecurity threat information (except in limited circumstances);

Immunizing only private entities that share cybersecurity threat information upon a reasonable and good faith belief that such sharing is authorized by the Title;

Providing for meaningful oversight of information sharing and use by the Privacy and Civil Liberties Oversight Board.

We also applaud Senators Franken, Durbin, Coons, Wyden, Blumenthal, and Sanders, whose efforts made these important revisions to the Cybersecurity Act possible. It’s not every day that CEI or TechFreedom praises members of Congress—or government in general! We do so here because the changes to Title VII of the Cybersecurity Act will meaningfully reduce the likelihood that the bill, if enacted, will enable government to impermissibly access and abuse citizens’ private information. (For more on changes to the Cybersecurity Act, see this ACLU blog post by Michelle Richardson.)

To be sure, we still have serious concerns about Title VII of the bill — and even greater concerns about other provisions in the bill, especially those regulating cybersecurity of “critical infrastructure”. We’ll offer plenty of criticism about those provisions in coming days, but for now, seeing a few rays of light from Capitol Hill is enough to give us pause.

Ryan Radia / Ryan is associate director of technology studies at the Competitive Enterprise Institute, where his work focuses on adapting law and policy to the unique challenges of the information age. His research areas include privacy, IP telecommunications, competition policy, and media regulation.